The video conferencing application Zoom has had its share of security-related problems lately. Any time they name a cyber-attack after you (Zoom bombing) it’s bound to be a bad thing. Zoom bombing, if you haven’t heard, is the video conference equivalent of photo bombing. Some miscreant sneaks into your meeting and takes over the screen to share some NSFW imagery or hate speech or cat videos. Zoom meeting videos have also been stolen and published publicly online.
According to cybersecurity and privacy guru Bruce Schneier, “In general, Zoom’s problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations.” Some of the worrisome problems that Schneier discusses are the use of AES-128 in ECB (Electronic Code Book) mode, which provides inadequate cryptographic security; that the encryption keys created to protect sessions are often routed through servers in China (keys subject to interception); that some Zoom code is written in China (possible inclusion of backdoors?); and that
The problem with Zoom and most other video conferencing apps is that anyone with the meeting link or a meeting ID number can join. Some people have been posting screenshots of Zoom sessions on their Facebook feed. (Look mommy, I’m working from home!) The meeting ID is right there at the top of the screenshot. Since many meeting organizers reuse the same meeting ID over and over, this also makes it easy for an attacker to join your current or a future meeting.
Zoom founder and CEO Eric Yuan has apologized to users and put security on the fast track at Zoom. There have been several improvements. Removing the meeting ID from the screen frame is one that has little real value. Meeting organizers always had the option of changing meeting IDs and requiring a password from people joining the meeting. This is now on by default, but can be easily disabled by the organizer.
The ability to hold attendees in a waiting room gives a meeting organizer the ability to selectively admit them. This is now on by default. Zoom has also made it simple to eject someone from a meeting.
According to a recent blog post at Zoom:
“The most visible change that meeting hosts will see is an option in the Zoom meeting controls called Security. This new icon simplifies how hosts can quickly find and enable many of Zoom’s in-meeting security features.
Visible only to hosts and co-hosts of Zoom Meetings, the Security icon provides easy access to several existing Zoom security features so you can more easily protect your meetings.
By clicking the Security icon, hosts and co-hosts have an all-in-one place to quickly:
- Lock the meeting
- Enable the Waiting Room (even if it’s not already enabled)
- Remove participants
- Restrict participants’ ability to:
We recognize that various security settings in the Zoom client, while extremely useful, were also extremely scattered. The addition of this persistent Security icon helps augment some of the default Zoom security features in your profile settings and enables Zoom users to more quickly take action to prevent meeting disruption.
The Security icon replaces the Invite button in the meeting controls. The Invite button has been moved to the Participants panel, and hosts can add additional guests there.”
I am continuing to use Zoom as a teaching and training platform. I see no reason to switch to something else. At least we know that Zoom is fixing the platform. And many of the problems with Zoom are based on the failure of meeting organizers to use security controls that were already in the product.
The bad actors on the Internet have found some new playgrounds to play in, and are taking advantage of the security vulnerabilities inherent in the whole Work From Home situation. As usual, we just need to step it up and be a bit more vigilant. Stay safe online.
In Separate News:
Security and Privacy Implications of Zoom
Over the past few weeks, Zoom’s use has exploded since it became the video conferencing platform of choice in today’s COVID-19 world. (My own university, Harvard, uses it for all of its classes. Boris Johnson had a cabinet meeting over Zoom.) Over that same period, the company has been exposed for having both lousy privacy and lousy security. My goal here is to summarize all of the problems and talk about solutions and workarounds. Read more…
Dark web: Cybercriminals sell over 500,000 Zoom accounts
A new report from BleepingComputer found that cybercriminals are selling and trading the credentials for more than 500,000 Zoom accounts associated with companies like Chase and Citibank as well as schools like Dartmouth College, the University of Florida, and the University of Vermont. BleepingComputer’s Lawrence Abrams wrote that the account details, which were taken through previous credential stuffing attacks, are posted on a number of dark web sites and hacker forums after they are sorted through and put into lists. Abrams spoke with cybersecurity intelligence firm Cyble, which tried to warn victims after buying about 530,000 Zoom login details for about $0.0020 per account through a hacker forum. Cyble researchers told Abrams that the accounts they bought came with the email address, password, personal meeting URL, and HostKey of each victim. Read more…
Zoom Traffic Through China: Company Apologizes, Announces Data Routing Control
The news sent shock waves through corporations around the Western world. Zoom was routing some of its virtual meeting traffic, and the digital keys that keep the meetings confidential, through servers in China. The University of Toronto’s Citizen Lab found some North American Zoom meeting traffic went through Chinese servers. It did a test Zoom call between one user in the U.S. and another in Canada… Read more…
Zoom Cybersecurity: Zero-Day Exploit Selling for $500K
Zoom-bombing created security concerns about Zoom as hackers and pranksters joined corporate and student meetings on the platform. While most did things that were inappropriate, at least they made their presence known. Now imagine a Zoom meeting where you are discussing proprietary information or intellectual property as a cybercriminal or nation-state hacker is secretly watching or recording it… Read more
Zoom is introducing this new feature in its bid to banish Zoom bombing
A new button allowing meeting participants to report users is Zoom’s latest attempt to bring its security features up to scratch.
More information:
- Schneier on Security
- Forbes
- TechRepublic
- SecureWorld
- Another from SecureWorld
- Another from TechRepublic
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments, and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com